Using legacy Windows 8.3 short filenames, we bypass the filter to download files. (MMACTF 2016 web 150 writeup)

Introduction

Rotten Uploader was a good challenge, but it took a fair amount of time to solve despite being an easy one (of course it's easy once you know how to do it :P). Here is the challenge description:

Find the secret file.
http://rup.chal.ctf.westerns.tokyo/
Hint1 (2016/09/04 16:31)
The files/directories in the DOCUMENT_ROOT are the four below.
download.php
file_list.php
index.php
uploads(directory)
The number of files in DOCUMENT_ROOT/uploads is 5. The directory has an "index.html".
You don't need scan tools.

Challenge

We are presented with a site from which three files can be downloaded: test.cpp, test.rb and test.c. The download happens through a file named download.php. What we know so far:

1) The uploads/ directory has 5 files, of which 4 are known to us (index.html plus the three downloadable files). So the 5th file (whose name we don't know yet) has to be the flag.

2) If we know the filename, we can download it via download.php. The only way to learn the filename is to fetch file_list.php, which contains the list of all files.

3) The string file_list is blocked by a stripos() check, which cannot be bypassed easily (stripos() has no known bypasses; it is a plain case-insensitive substring match on the request value).

Solution:

It took a while to realize that the server is running Windows. So the question arose: why configure this challenge on a Windows machine when all the others are on Linux (Linux is usually preferred for web servers)? Then we came across a legacy Windows feature, 8.3 short filenames, and that led us to the bypass!

Computing the 8.3 short name of file_list.php gives file_l~1.php, which does not contain the blocked substring but still resolves to the same file on Windows. The file can therefore be downloaded with the request download.php?f=../file_l~1.php, and this got us the source code of file_list.php.
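To make the mechanism concrete, here is an added Python model (not the challenge's code; the real download.php source is not on this page) of three things: how Windows derives an 8.3 short name from a long filename, the stripos()-style substring check described above, and an allow-list check that would have closed the gap. The short-name rules are the basic NTFS ones (uppercase, first six characters of the base plus ~N, first three of the extension); the ~N collision suffix depends on the other files in the directory, so it is taken as a parameter rather than computed. The set of served files and the filter behaviour are assumptions based on the writeup.

```python
"""Model of the 8.3 short-name filter bypass and a hardened replacement.

Added example for this writeup; it is not the challenge's own code.
"""
import re

# Characters that are legal in an 8.3 name (simplified set; assumption).
# Anything else is replaced with '_' when Windows builds the short name.
_ILLEGAL_83 = re.compile(r'[^A-Z0-9_$~!#%&\-{}@()^]')

# Files the download page is meant to serve (taken from the writeup).
SERVED_FILES = frozenset({'test.c', 'test.cpp', 'test.rb'})


def short_name_83(long_name: str, collision_index: int = 1) -> str:
    """Return the 8.3 short name Windows would generate for long_name.

    Names that already satisfy 8.3 come back unchanged apart from case.
    Otherwise: first 6 cleaned base characters + '~' + collision_index,
    then the first 3 characters of the last extension.
    """
    base, dot, ext = long_name.rpartition('.')
    if not dot:                      # no extension at all
        base, ext = long_name, ''
    # spaces and embedded dots are dropped; other illegal characters become '_'
    base_clean = _ILLEGAL_83.sub('_', base.upper().replace(' ', '').replace('.', ''))
    ext_clean = _ILLEGAL_83.sub('_', ext.upper().replace(' ', ''))
    already_short = (len(base_clean) <= 8 and len(ext_clean) <= 3
                     and base_clean == base.upper() and ext_clean == ext.upper())
    if already_short:
        return base_clean + ('.' + ext_clean if ext_clean else '')
    short_base = base_clean[:6] + '~' + str(collision_index)
    short_ext = ext_clean[:3]
    return short_base + ('.' + short_ext if short_ext else '')


def legacy_filter_blocks(requested: str) -> bool:
    """Model of the check the writeup describes: stripos($f, 'file_list') !== false.

    It is a case-insensitive substring test on the raw request value, so any
    alias of the file that spells its name differently slips past it.
    """
    return 'file_list' in requested.lower()


def hardened_allows(requested: str, served=SERVED_FILES) -> bool:
    """Defensive replacement: serve only exact, allow-listed basenames.

    Rejecting separators, traversal and '~' means no alias of a file (short
    name, other directory) can ever reach the filesystem call.
    """
    if any(ch in requested for ch in ('/', '\\', '\x00', '~')) or '..' in requested:
        return False
    return requested in served


if __name__ == '__main__':
    for name in ('file_list.php', 'download.php', 'index.php', 'test.cpp'):
        alias = short_name_83(name)
        print(f'{name:14} -> {alias:14} '
              f'legacy blocks: {legacy_filter_blocks("../" + alias)}  '
              f'hardened allows: {hardened_allows("../" + alias)}')
```

Running the module prints the short name for each file on the page; only file_list.php is long enough to get a ~1 alias, and that alias is exactly what the substring filter fails to catch, while the allow-list check rejects every form of the request that is not one of the three intended files.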